iPLATO is already compliant with the General Data Protection Regulation
What is the GDPR?
The General Data Protection Regulation (GDPR) ((EU) 2016/679) is the regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
Currently, the United Kingdom (UK) relies on the Data Protection Act 1998, which was enacted following the 1995 EU Data Protection Directive, but this will be superseded by the new legislation. It introduces tougher fines for non-compliance and breaches, and gives people more say over what companies can do with their data. It also makes data protection rules more or less identical throughout the EU.
The GDPR will apply in all EU member states from 25 May 2018. Because GDPR is a regulation, not a directive, the UK does not need to draw up new legislation – instead, it will apply automatically.
What about Brexit? Will UK businesses still need to comply with GDPR?
GDPR will come into force before the UK leaves the European Union. Both the Information Commissioner and the UK government have confirmed that GDPR will still apply to organisations in the United Kingdom, ensuring the country’s data protection framework is “suitable for our new digital age, allowing citizens to better control their data.”
A primary reason why the UK is obligated to comply with the GDPR is the crossover timeframe between enforcement of the GDPR and the exit of the UK from the European Union. Additionally, the GDPR rules reach outside the EU, which means UK companies that are doing business with the EU post-Brexit must comply with the GDPR to avoid infringement of the rules.
What impact will GDPR have on the iPLATO services and what has iPLATO been doing about it?
The new General Data Protection Regulation comes into force in May 2018. The regulations are extensive, and for over 12 months we have been working with external specialist legal counsel to ensure unconditional compliance. iPLATO has updated contractual documentation and adopted or modified applicable operational processes to cover the new requirements. These include the enhanced transparency requirements for both Data Controllers and Data Processors, the enhancement of existing Patient rights and the implementation of new ones (specifically pertaining to data portability and the right to be forgotten) and, finally, the security measures and data security breach notification requirements.